From 3b030211989e565104cef813a50a48d6e1fc7052 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Micha=C5=82=20=C5=BBygowski?=
Date: Fri, 19 Jul 2024 13:21:35 +0200
Subject: [PATCH] SecurityPkg/SecureBootConfigDxe: Keep SB state when resetting the keys
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Signed-off-by: Michał Żygowski
---
 .../SecureBootConfigImpl.c | 35 +++++++++++++++++--
 1 file changed, 32 insertions(+), 3 deletions(-)

diff --git a/SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfigImpl.c b/SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfigImpl.c
index dc2cfe3e5a..f0f27b132f 100644
--- a/SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfigImpl.c
+++ b/SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfigImpl.c
@@ -4165,13 +4165,28 @@ LoadSignatureData (
 STATIC
 EFI_STATUS
 EFIAPI
 KeyEnrollReset (
- VOID
+ IN SECUREBOOT_CONFIGURATION *ConfigData
 )
 {
 EFI_STATUS Status;
 UINT8 SetupMode;
+ BOOLEAN SecureBootEnable;
+ UINTN DataSize;
- Status = EFI_SUCCESS;
+ DataSize = sizeof (SecureBootEnable);
+ Status = gRT->GetVariable( EFI_SECURE_BOOT_ENABLE_NAME, &gEfiSecureBootEnableDisableGuid, NULL, &DataSize, &SecureBootEnable );
+
+ if (EFI_ERROR (Status)) {
+ DEBUG ((DEBUG_ERROR, "Cannot read SecureBootEnable variable: %r\n", Status));
+ /* Get the state from the from data if we failed to read the variable */
+ SecureBootEnable = ConfigData->AttemptSecureBoot;
+ }

 Status = SetSecureBootMode (CUSTOM_SECURE_BOOT_MODE);
 if (EFI_ERROR(Status)) {
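Review bot: The fallback at the bottom of the hunk dereferences `ConfigData` with no NULL check, so the new parameter's contract should be stated and enforced at the top of `KeyEnrollReset`, e.g. `ASSERT (ConfigData != NULL);` — the single caller passes `IfrNvData`, whose allocation and NULL handling are outside this hunk. `EFI_NOT_FOUND` is also a legitimate outcome of this read on a platform that has never written the vendor variable, so logging every failure at `DEBUG_ERROR` is misleading; log it at `DEBUG_INFO`, or guard the message with `if (Status != EFI_NOT_FOUND)` while keeping the fallback for every error. The added comment has a typo and should read `/* Fall back to the form data if the variable could not be read */`. The function body continues past the end of the hunk.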
@@ -4258,6 +4273,20 @@ KeyEnrollReset (
 goto clearKEK;
 }

+ /* * If Secure Boot was disabled before resetting the keys, don't change its state. * Enrolling PK would enable Secure Boot automatically. */
+ if (SecureBootEnable == SECURE_BOOT_DISABLE) {
+ Status = SetSecureBootState (SECURE_BOOT_DISABLE);
+ if (EFI_ERROR (Status)) {
+ DEBUG (( DEBUG_ERROR, "Cannot set Secure Boot state to SECURE_BOOT_DISABLE\n" ));
+ }
+ }
+
 Status = SetSecureBootMode (STANDARD_SECURE_BOOT_MODE);
 if (EFI_ERROR (Status)) {
 DEBUG ((DEBUG_ERROR, "Cannot set CustomMode to STANDARD_SECURE_BOOT_MODE\n"
@@ -4969,7 +4998,7 @@ SecureBootCallback (
 &UserSelection
 );
 if (UserSelection == EfiHiiPopupSelectionYes) {
- Status = KeyEnrollReset ();
+ Status = KeyEnrollReset (IfrNvData);
 }
 //
 // Update secure boot strings after key reset
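Review bot: A failure of `SetSecureBootState (SECURE_BOOT_DISABLE)` is only logged, and `Status` is then overwritten by the `SetSecureBootMode` call that follows, so the key reset reports success while Secure Boot stays enabled against the configuration that was saved before the reset. That is the fail-closed direction and acceptable from a security standpoint, but the log line should carry the reason — `"Cannot set Secure Boot state to SECURE_BOOT_DISABLE: %r\n", Status` — and unless a silent fail-closed is intended, the error should be propagated rather than dropped. Note also that the `== SECURE_BOOT_DISABLE` test means any other byte read from the variable keeps Secure Boot enabled, which is the safe default but deserves a one-line comment on the `if`. `KeyEnrollReset` begins before this hunk and continues past it.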